This is a place for me to ruminate about Privacy. Since I work as Google's Global Privacy Counsel, I need to point out that these ruminations are mine, not Google's. Please don't attribute them to Google.

Friday, May 7, 2010

Given the nature of the Internet, all web services are inherently global. All companies doing business on the Internet rely on the collection, storage and analysis of information generated by users, and all of them are confronted by the lack of consistency in the applicability and content of privacy laws across jurisdictions. So, I’ve struggled with the following three questions:

What are the current rules establishing the application of privacy laws around the world?

Do the current rules work?

How could we create clearer rules, to provide greater consistency and certainty?

There are three different jurisdictional approaches to determine the applicability of privacy and data protection laws around the world.

1.1Location of the organization using the data

This is the principle under Article 4(1)(a) of the EU Data Protection Directive, which looks at the place of origin of the organization that makes decisions about the uses of the data and determines the applicability of the law on that basis. This approach is also used in Canada, where the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) controls the collection, use and disclosure of personal information in the course of the commercial activities of organizations that are federal works, undertakings or businesses.

In both cases, the law applies to an organization established in that particular jurisdiction irrespective of where in the world the actual processing takes place. In the EU where the organization is established in several EU countries, the organization must take the necessary measures to ensure that each of these establishments complies with local law obligations. Under PIPEDA, Canadian entities transferring data outside the country must have provisions in place to ensure a comparable level of protection to that granted by the law.

1.2Location of the people whose data is being used

This is typically the USA approach under the Federal Children’s Online Privacy Protection Act (“COPPA”) and the data breach notification laws enacted by the majority of individual states. For example, COPPA will apply to operators of websites directed at children within the USA, while a serious data breach affecting a Californian resident must be notified to that person irrespective of who is responsible for the data or where the data breach occurred. This is also the approach in the laws of other jurisdictions like Australia and New Zealand where certain provisions apply in respect of Australian citizens and New Zealand residents respectively.

1.3Place where the actual processing happens

The EU Data Protection Directive relies on this approach in Article 4(1)(c) to claim jurisdiction on the basis of the use of equipment situated in the EU where the organization is not located in the EU. Many other jurisdictions around the world follow this approach, like Argentina (i.e. law applies to any processing in the national territory), Israel (i.e. law applies to acts that occur in Israel) and even new laws like South Africa’s Protection of Personal Information Act which follows the EU Article 4 model (i.e. law applies both to when a party is domiciled in South Africa and when not domiciled but using means situated in South Africa).

As a result of the different approaches mentioned above (which are often combined - as in the EU), organizations using the Internet, multinational organizations and those engaging global service providers find themselves caught by the laws of many different jurisdictions. Examples of the practical problems caused by this include the following:

2.1Multinational operations

Multinationals with established operations in many parts of the world face different rules affecting each subsidiary or affiliate. Since there is no international consistency determining the content and obligations under data protection and privacy laws, to be compliant a multinational must review the specific obligations under local law in each case. This is even the case within the EU despite the fact that EU data protection law at a local level emanates from the same source – the EU Data Protection Directive. The result is that a global company seeking to develop a consistent approach across all of its operations is required to create a tailored solution for specific jurisdictions according to the quirks of local law. This is not simple for companies operating standardized global web services.

Internet businesses which transact with individuals who are based in jurisdictions that claim jurisdiction when their citizens’ or residents’ data is being used, will find themselves subject to laws that bear no connection with the place of establishment of that business. For instance, an EU based internet business should be alert to any customers who are Californian residents since Californian data breach laws apply to an organization wherever it is located. Internet businesses must therefore anticipate the application of laws with which they have no real connection. Alternatively an Internet business might consider putting in place a defensive measure to ensure that it does not transact with individuals from those jurisdictions to protect itself from the application of foreign laws, but that approach violates the spirit of the open global Internet.

2.2Use of equipment

Relying on the use of equipment in a particular jurisdiction (perhaps including the computers of end users) to determine the application of the law could mean that the laws of every single EU Member State will apply to every website operator in the world that uses cookies to gather browsing-related information. This result is due to the interpretation of the scope of ‘equipment’ under EU law and the view of EU regulators that website operators that place cookies on a user’s computer based in the EU without the control of the user, make use of equipment in a way that is caught by EU law. This shows that relying on ‘equipment’ to establish jurisdiction is unworkable.

2.3Cloud computing: where the processing happens

Cloud computing is directly affected because the dynamic nature of this practice is at odds with the approach based on where the actual processing happens. Part of its agile functionality enables cloud computing to switch between processing data in one location to another location in order that customers are provided with an efficient, affordable and consistent service. Where the processing of data switches according to this technology this could have a knock on effect of changing which law applies to the processing thus introducing uncertainty.

2.4Cloud computing: where the equipment is located

Another problem for cloud computing is that if the servers of the service provider are based in Europe, any overseas customer could be subject to EU law. Due to the structure of cloud computing technology and the network of servers that are used to deal with demand, a customer based outside the EU may find their data being stored on an EU server. Consequently, under EU rules the equipment (i.e. the server) is located in the EU and EU law applies even though the customer has no other connection with the EU.

Current models for determining the application of privacy law present complicated problems and unintended consequences which are unsuitable to deal with the changing pace of technology and the realities of global business. It is vital that more appropriate and flexible ways are found to address the practical problems created by the different jurisdictional approaches. Alternative approaches could include:

3.1International privacy standards

The most obvious way of resolving the conflicts created by the different regulatory regimes would be to have just one global privacy regime. The initiative led by the AEPD and approved in Madrid during the International Privacy Commissioners’ Conference is a step in that direction. The initiative recognises that the current approaches in reality provide less protection for individuals and more complexity for businesses.

3.2Treaty dealing with conflicts of law

As with other areas like contractual disputes, there could be an international treaty setting out which law would apply in the event of a potential conflict. Establishing such a treaty would help to provide certainty for businesses and individuals when situations of conflict arise.

3.3Country of origin and accountability principle

A key rule to be established by an international treaty would be to apply the law of the country where the main operations reside (e.g. place of establishment of parent company, HQ, etc.) and make the provisions of that law follow the use of the data globally. Following a country of origin principle would bring data protection rules into line with the underlying principle governing e-commerce in the EU. Furthermore it would allow businesses to develop a coherent and consistent global compliance framework to deal with customers on the same terms wherever a customer is located. Adopting a consistent approach would also encourage greater accountability as the business would adopt one defined standard.

3.4Voluntary submission to one regime

Governments and/or regulators could agree to allow organizations to choose one lead jurisdiction (based on objective, pre-established criteria). In the context of the EU, this is certainly viable as demonstrated by the "lead regulator" concept used in the area of Binding Corporate Rules applications. By submitting to one lead regime or jurisdiction, the organization would then abide by the rules of that regime enabling the business to be certain which law applies to its operations.